Ruminations on the System i Market
If you're an IT person, you should be quite aware of how serious a problem such issues as corporate data breaches, excessive employee use of corporate computing equipment to conduct personal business, and internal snooping by unscrupulous or just nosy fellow employees have become. That naturally leads to interest in methods of combatting these problems, such as data encryption software, corporate monitoring of Internet use, and security controls on data access.
On the other hand, particularly in the U.S., there has been a general drift in the culture away from too much "Big Brotherism," a fear that too much information in the hands of the government (and by implication, any authority figure) might end up being bad for us as individuals. This concern paradoxically grows as computer technology gets better, and with it, the ability of strangers to learn more about us than we're comfortable with them knowing. Although the tragedy of 9/11 has made us all grudgingly willing to put up with more security checks when we're travelling, and the knowledge that hackers and phishers are out there makes us more wary about checking that the means of transmitting our financial information is secure and legitimate, most of us are still of the "OK, that far but no farther" mentality about security.
But I wonder if, for IT people in particular, there isn't actually a disconnect happening between our professional attitudes toward privacy and those that we hold as private individuals? More specifically, doesn't the very idea of, for example, monitoring fellow employees' communications, raise some ethical issues in and of itself?
Four studies bring out the contrasts. (I should point out that none of these were done by companies offering System i products, but the idea I'm trying to get at is as valid for IT shops using System i machines as it is for those using any other platforms.) The first one was released last fall by Palisade Systems ( http://www.palisadesys.com ), a manufacturer of content and network-security appliances. "Sounding the Alarm on Internal Threats to Consumers' Sensitive Data and Employers' Proprietary Information" surveyed respondents in 171 government, university, and commercial organizations about internal organizational security hazards. What's significant is that among the corporate participants at U.S. commercial organizations, response was unanimous that all employee communications at work should be monitored to ensure that proprietary company data, or identifying customer data such as Social Security numbers, weren't being transmitted. (Interestingly, only 11 percent of the respondents working for government agencies agreed with this stance.)
A second study, which I point to not because of any particular results but because it's typical of many you've probably read about over the past few years, was done by Vericept Corporation ( http://www.vericept.com ) and released last week. Titled "The Case for Data Leakage Prevention," it surveyed 206 security professionals at organizations with at least 1,000 employees in 21 vertical industries about the consequences of data loss. Nearly a third of the respondents reported a data breach in the last year and one-third of those people said the data breach caused a "direct loss of revenue." (Ten percent of respondents said they didn't know for sure if a data breach had taken place!)
The third study was commissioned by the Society for Human Resource Management ( http://www.shrm.org ) this year and reports the result that an average of one hour a day is lost to "cyberslacking" by employees engaging in such activities as looking up information of personal interest on the Internet, playing games, or writing e-mail messages to family and friends.
The final study I'll quote was released in November 2005 by WeComply ( http://www.wecomply.com ), a provider of business ethics and compliance training. This one asked 1,000 U.S. workers if they thought their personal computer activities at work remained personal or became their employers' business records. As you and I know, personal e-mails, Instant Messages, and personal web searches DO become employer business records simply because they're carried out on the employer's equipment. But more than half of those surveyed didn't know personal e-mail and unsent files become business records, 40 percent didn't realize personal web searches become business records, and two-thirds didn't realize that personal IMs to friends become business records.
Let's set aside the arguments that we don't know how valid the methodologies, the sampling techniques, the question wordings, and other aspects of how these surveys were conducted are. The specific numbers almost certainly aren't entirely accurate and some of the surveys are admittedly a bit old. But I think the tendencies they report are valid. And what do those tell us?
Unauthorized data transmissions and cyberslacking are real. The Vericept study and others like it show the problems are serious and must be addressed. The Palisade study shows an overwhelming majority of IT people think employee communications, and I think by implication Internet activities, must be monitored by a human to prevent abuses. Personally, I hate this idea, but isn't responsibility to the enterprise pushing IT in that direction? And doesn't mere contemplation of any monitoring program raise at least two ethical problems for all IT people?
First, given most people's expectations of privacy, and particularly in light of the large numbers of end users in the WeComply study who seem clueless about the line between what's business and what's personal, isn't any monitoring program going to be viewed as a violation of trust by most of your end users? What a boost to IT's image that'll be! Granted, employees should know better than to use company computers and software for personal activities, but don't we all do things occasionally that we know we shouldn't? More to the point, doesn't this state of affairs mandate that if an enterprise institutes a monitoring policy, that fact needs to be regularly and publicly (and maybe even loudly) stated to the end user community? And doesn't it mean that secret monitoring should be considered unethical, no matter how high-minded the motivation?
Second, is IT really up to the task? I'm not talking about YOU, of course. We're professionals who would never, if assigned the job of monitoring our fellow employees' e-mail messages, read entire messages we thought were of a personal nature so long as we could tell no corporate or personal identification was contained in them. But what about that guy three cubes down who's always dishing the gossip and wondering out loud about the character of people who would do whatever it is he's on his soapbox about today? Would you want him reading all of your e-mail messages? After all, you're an employee like any other. You'd have to be included in any monitoring program, too. Or how about that woman who, most times when you walk into her space, just happens to be shutting down her browser, but not fast enough that you don't get a flash of that eBay logo? Should she be the one deciding whose Internet use is appropriate to the business? So if IT is going to be responsible for any kind of monitoring program, doesn't there need to be some sort of code of ethics or standards for the watchers? Which leads inexorably to the IT version of that classic dilemma: Who will enforce that code?
Monitoring employee computer activity seems necessary. Eventually it may become unavoidable. Any company that doesn't is being foolish, given just the risks and regulations we know about already. But doesn't IT have at least an ethical, and perhaps even moral, obligation to its users to do this very publicly and with careful consideration of end-user sensibilities?
Posted by at June 26, 2007 11:50 AM